safety analysis profile
DESCRIPTION
A discussion of how to perform safety analysis of UML models, using a safety analysis profile that I developed.TRANSCRIPT
1
®
Safety Analysis Profile:Applying Safety to UML Designs
Bruce Powel Douglass, Ph.D.Chief EvangelistIBM Rational
IBM Software Group
© 2008 IBM Corporation
2
What is Safety?
Safety is freedom from accidents or losses. Safety is not reliability!
Reliability is the probability that a system will perform its intended function satisfactorily.
Safety is not security!Security is protection or defense against attack, interference, or espionage.
3
Safety-Related Concepts
Accident is a loss of some kind, such as injury, death, or equipment damage
Risk is a combination of the likelihood of an accident and its severity:
risk = p(a) * s(a) Hazard is a set of conditions and/or events that leads
to an accident.
4
Safety-Related Concepts
A failure is the nonperformance of a system or component, a random faultA random failure is one that can be estimated from a pdf, Failures are eventse.g., a component failure
An error is a systematic fault A systematic fault is an design errorErrors are states or conditionse.g., a software bug
A fault is either a failure or an error
5
Hazard Analysis
6
Safety Fault Timeline
Fault MTBF
Fault Tolerance Time
Safety Measure Execution
Fault Detection Time
safety-relatedfault occurs
tfault dectection
< tsafety measure execution
< tfault tolerance time
<< tMTBF
accidentexpected (ifunmitigated)
fault handled(mitigated)
second faultexpected
7
Safety Measures
Safety measures do one of the following:Remove the hazardReduce the risk, either by
Reducing the likelihood of the accident Reducing the severity of the accident
Identify the hazard to supervisory personnel so that they can handle it within the fault tolerance time
The purpose of the safety measure is to avoid accident or loss
8
Fault Tree Analysis (FTA)
Fault Tree Analysis determines what combinations of conditions or events are necessary for a hazard condition to
occur
9
Example Fault Tree Analysis
10
Design Redundancy for Safety
The key to safe systems is to analyze the system and to identify the conditions and events that can lead to hazards Fault Tree Analysis (FTA) determines what logical combination of events and conditions lead to faults By adding “ANDing-redundancy”, architectural redundancy can be added
11
Safety Metamodel The Safety Metamodel identifies and characterizes
the important concepts (and their metadata) and their relations
The metamodel serves as a blueprint for stereotypes in the profile
12
Safety Metamodel
13
Safety Metamodel (Operators)
14
Metaclasses FTA Node
Description: An abstract metaclass providing the Probabilty metaattribute and various relations
Base metaclass: ClassMetadata
Probability [0.0 .. 1.0] Fault
Description: An abstract metaclass representing a non-conformant behavior of some kind
Base metaclass: FTA NodeMetadata
MTBFMTBF Time Units
Basic FaultDescription: A fault that cannot be further decomposedBase metaclass: Fault
Undeveloped FaultDescription: A fault that may be, but not is, further decomposedBase metaclass: Fault
15
Metaclasses Required Condition
Description: A condition required as an input to an operator for a TRUE output Base metaclass: FTANode
Resulting Condition Description: A condition resulting from the combination of other conditions and faults Base metaclass: FTA Node
Hazard Description: A condition that inevitably leads to an accident or loss Base metaclass: FTA Node Metadata
Fault Tolerance Time Fault Tolerance Time Units Risk Severity Safety Integrity Level (SIL)
16
Metaclasses Requirement
Description: A capability or condition that must be satisfied by a system Base metaclass: Class (from SysML) Metadata
Text Id
Fault Source Description: A model element that can manifest a fault Base metaclass: Class Metadata
Fault mechanism: string
Safety Measure Description: A model element that can detect or extenuate a fault Base Metaclass: Class Metadata
Fault action time Fault detection time Fault time units Safety mechanism: string
17
Metaclasses Logic Flow
Description: A “carrier” of boolean value Base metaclass: Information flow
Logical Operator Description: An abstract metaclass for a function that performs logic on its inputs Base metaclass: Class
Unary Operator Description: A logical operator with a single input and output Base metaclass: Logical Operator
Binary Operator Description: A logical operator that takes two (or more) inputs to produce a single output Base metaclass: Logical Operator
Transfer Operator Description: A binary operator whose purpose is to “connect” logic across multiple
diagrams Base metaclass: Binary operator
18
Metaclasses TraceToReq
Description: A relation from an FTA node to a requirement Base metaclass: Dependency
ManifestsRelation Description: A relation from a Fault to a Fault Source or Class Base metaclass: Dependency
DetectsRelation Description: A relation from an FTA node to a Safety Measure that detects a fault Base metaclass: Dependency
ExtenuatesRelation Description: A relation from an FTA node to a Safety Measure that removes,
mitigates, or extenuates a fault Base metaclass: Dependency
19
Safety Example: SleepyTime Anesthesia Machine
20
System Use Case Model
21
Alarm Requirements
22
Display Requirements
23
Ventilator Subsystem Use Case Model
24
Ventilator Requirements
25
Hazard Table (generated)
26
FTA Hypoxia Hazard
Normal Event
Transfer Operator
Undeveloped Fault
Hazard
Basic Fault
AND operator
Resulting Condition
OR operator
27
FTA Gas Flow Problem
28
FTA Gas Connection Problem
29
Fault Table
30
Connecting FTA to Requirements (TraceToReq)
31
Fault-Requirement Matrix (generated)
32
Analysis Model of the SleepyTime Machine
33
Analysis Model of the Ventilator Subsystem
34
FTA Hypoxia Hazard with Design Elements
35
FTA Connection Problem with Design Elements
36
Fault-Source Matrix (generated)
37
Fault Detection Matrix (generated)
38
Hazard Analysis (generated external file) Pg 1
Hazard DescriptionFault tolerance time
Fault tolerance time units
Probability
Severity Risk
Safety integrity level
Hypoxia
The hypoxia hazard occurs when the brain and other organs receive insufficient oxygen. In a normal 21% O2 environment, death or irreversible injury occurs after five minutes of no oxygen. If the patient is breathing 100% for a significant period of time, this time is about 10 minutes.
5 minutes1.00E-
02 88.00E-
02 3
Overpressure
Overpressure can damage the lungs. This is an especially severe trauma, possibly fatal, to neonates.
200 milliseconds1.00E+0
4 43.00E+0
4 3
HyperoxiaHyperoxia problems are usually limited to neonates, where it can cause blindness.
10 minutes1.00E+0
5 44.00E+0
5 4
Inadequate anesthesia
Inadequate anesthesia leads to patient discomfort and memory retention of the surgical procedures. This is normally not life threatening but can be severely discomforting.
5 minutes1.00E+0
4 22.00E+0
4 2
Over anesthesiaOver anesthesia can lead to death.
3 minutes1.00E+0
3 44.00E+0
3 4
Anesthesia leak into ERAnesthesia leak can lead to short or, in smaller doses, to long-term poisoning of medical staff.
10 minutes1.00E+0
5 54.00E+0
5 5
39
Hazard Analysis (generated external file) Pg 2
Hazard Fault or event Fault type Fault description MTBF
MTBF time units Probability
Hypoxia Ventilator engaged NormalEvent
1
HypoxiaGas supply fault
BasicFault
This fault occurs when gas from a required source is unavailable. This may be due to any number of root causes, such as a stuck or closed valve, running out of gas or a leak.
1.00E+06 1.00E-06
Hypoxia Breathing circuit leak BasicFault
This fault occurs when a significant amount of gas leaks from the breathing circuit into the surrounding environment. This can lead to a poisoning hazard when the gas contains anesthetic drugs.
1.00E+03 1.00E-03
Hypoxia Ventilator pump fault BasicFault
This fault occurs when the pump internal to the ventilator no longer functions to shape the breath and push gas into the breathing circuit.
1.00E+06 1.00E-06
HypoxiaVentilator parameter setting wrong BasicFault
This fault occurs when a ventilator parameter is out of range. This includes: -I:E ratio -Tidal Volume -Respiration Rate -Inspiratory Pause -Maximum inspiratory pressure -Inspiration time
1.00E+04 1.00E-04
HypoxiaVentilator computation incorrect BasicFault
This fault occurs when an error in the software or a fault in a necessary resource (such as memory) results in an incorrect computation that in turn results in incorrect delivery of ventilation.
1.00E+05 1.00E-05
40
Hazard Analysis (generated external file) Pg 3
Fault or event Requirements Manifestors Detectors Extenuators
Gas supply fault REQ_BCM_01 GasValve GasFlowSensor Alarm
Gas supply fault REQ_VD_06
Gas supply fault REQ_VD_03
Gas supply fault REQ_VD_04
Gas supply fault REQ_VD_08
Breathing circuit leak REQ_VD_03
PressureSensor Alarm
Breathing circuit leak REQ_VD_04
Breathing circuit leak REQ_VD_06
Ventilator pump fault REQ_VD_06 Pump PumpController PumpController
Ventilator parameter setting wrongREQ_vent_limit_range_on_patient_mode PumpController
ProtectedCRCClass Alarm
Ventilator parameter setting wrongREQ_vent_parameter_out_of_range_setting
Ventilator parameter setting wrong REQ_Vent_confirmation
41
References to enhance your Harmony